
Ransomware eventually caught by MBAM but after it encrypted data



I have a fully functional ransomware sample that was stopped by MBAM Ransomware, but the detection took longer than expected.  The sample was able to start encrypting a small number of legitimate files before being quarantined.  It's worth noting the anti-malware component detects it immediately, so there's no real issue, but I disabled that protection to see if/how fast the anti-ransomware would catch it.

I'm wondering if this delay in Anti-Ransomware functionality is expected?


That is correct.  I know the 'solution' is to enable all 4 parts, but this is just a question I had after playing with a sample I encountered yesterday in my professional life.  This lets me simulate a scenario where anti-malware missed the threat but anti-ransomware did its job.  Was just curious to know if the delay in quarantine is intentional, a side-effect of how it's implemented, or something else.


I do not know for certain, but my best guess would be that this delay is due to which component of our anti-ransomware protection is detecting the threat.  There are several algorithms and components within the ransomware protection module, some of which are behavior based, and that's likely the one reacting to this sample which explains why a certain number of files get encrypted before it reacts.  It's observing the behavior of the process and once it sees enough to determine a positive ID as ransomware it steps in and shuts it down, quarantining the threat.

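The reply above describes a behavior-based component: it watches what a process does and only steps in once it has seen enough evidence, which is exactly why a few files get encrypted first. The following is an added toy illustration of that trade-off, written for this thread; it is not Malwarebytes code and does not reflect how their module actually scores behavior. The traits scored (high-entropy writes, extension changes), the point values, the detection threshold, the process IDs and the file events are all constructed assumptions.

```python
import math
import os
from collections import defaultdict

# Hypothetical tuning knobs (assumptions for this example, not a real product's values).
HIGH_ENTROPY = 7.0            # bits/byte; encrypted or compressed data sits near 8.0
DETECTION_SCORE = 9           # cumulative score at which a process is judged ransomware
SCORE_HIGH_ENTROPY_WRITE = 1  # points for overwriting a file with near-random bytes
SCORE_EXTENSION_CHANGE = 2    # points for renaming a file to a different extension


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def score_event(event: dict) -> int:
    """Score a single file-modification event on ransomware-like traits."""
    score = 0
    if shannon_entropy(event["data"]) >= HIGH_ENTROPY:
        score += SCORE_HIGH_ENTROPY_WRITE
    old_ext = os.path.splitext(event["path"])[1]
    new_ext = os.path.splitext(event.get("new_path", event["path"]))[1]
    if old_ext != new_ext:
        score += SCORE_EXTENSION_CHANGE
    return score


def run_detector(events):
    """Consume events in order. Returns (flagged_pid, files_that_pid_touched_before_flag),
    or (None, 0) if no process ever crosses the threshold. Files counted in the second
    value are the ones the behavioral approach could not protect."""
    scores = defaultdict(int)
    touched = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        touched[pid].add(ev["path"])
        scores[pid] += score_event(ev)
        if scores[pid] >= DETECTION_SCORE:
            return pid, len(touched[pid])  # here a real product would kill and quarantine
    return None, 0


# Constructed sample data: uniform bytes stand in for ciphertext (entropy exactly 8.0),
# repeated prose stands in for a normal document. PIDs and paths are made up.
CIPHERTEXT_LIKE = bytes(range(256)) * 16
PLAINTEXT = b"Q3 revenue summary, draft 2 - do not distribute\n" * 40
DOCS = r"C:\Users\demo\Documents"

SAMPLE_EVENTS = [
    {"pid": 100, "path": DOCS + r"\notes.txt", "data": PLAINTEXT},
    {"pid": 200, "path": DOCS + r"\budget.xlsx", "new_path": DOCS + r"\budget.xlsx.locked",
     "data": CIPHERTEXT_LIKE},
    {"pid": 100, "path": DOCS + r"\todo.txt", "data": PLAINTEXT},
    {"pid": 200, "path": DOCS + r"\report.docx", "new_path": DOCS + r"\report.docx.locked",
     "data": CIPHERTEXT_LIKE},
    {"pid": 200, "path": DOCS + r"\photo.jpg", "new_path": DOCS + r"\photo.jpg.locked",
     "data": CIPHERTEXT_LIKE},
    {"pid": 200, "path": DOCS + r"\thesis.pdf", "new_path": DOCS + r"\thesis.pdf.locked",
     "data": CIPHERTEXT_LIKE},  # never reached: pid 200 is flagged on its third file
]

if __name__ == "__main__":
    pid, lost = run_detector(SAMPLE_EVENTS)
    print(f"flagged pid={pid} after it had modified {lost} file(s)")
```

With these numbers the simulated ransomware process earns 3 points per file and is flagged on its third file, so three files are altered before anything happens, while the benign process that only writes low-entropy text never accumulates a score. Lowering `DETECTION_SCORE` would save files but makes ordinary tools that legitimately rename or compress files (an archiver, a backup agent renaming temporary files) more likely to be flagged, which is the usual reason a behavioral layer is tuned to wait for more evidence rather than react on the first suspicious write.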


55 minutes ago, exile360 said:

I do not know for certain, but my best guess would be that this delay is due to which component of our anti-ransomware protection is detecting the threat.  There are several algorithms and components within the ransomware protection module, some of which are behavior based, and that's likely the one reacting to this sample which explains why a certain number of files get encrypted before it reacts.  It's observing the behavior of the process and once it sees enough to determine a positive ID as ransomware it steps in and shuts it down, quarantining the threat.

Thanks!  That makes sense.
